Bug#924050: poppler-utils: pdfsig segfaults on signed PDF
Bernhard Übelacker
bernhardu at mailbox.org
Fri Mar 22 22:46:58 GMT 2019
Control: tags 924050 + upstream fixed-upstream patch
Dear Maintainer,
I tried to reproduce this crash, and received one with
this example file [1].
But due to the lack of the submitter's original
file, this crash might be different.
However, the following crash has already been fixed upstream [2][3]
and released in poppler 0.72.0.
The upstream patch needed slight modification.
A poppler package built with that patch shows the
signature information successfully.
Kind regards,
Bernhard
[1] https://blogs.adobe.com/security/SampleSignedPDFDocument.pdf
[2] https://gitlab.freedesktop.org/poppler/poppler/issues/669
[3] https://gitlab.freedesktop.org/poppler/poppler/commit/a85c2ed8f4359341adb94887c4b551a761244fdb
(gdb) bt
#0 0x00007f33db0d1c84 in SECMOD_ReferenceModule (module=0x0) at pk11util.c:847
#1 0x00007f33db0d21fc in SECMOD_AddModule (newModule=0x5648cf9cdd40) at pk11util.c:541
#2 SECMOD_AddModule (newModule=0x5648cf9cdd40) at pk11util.c:519
#3 0x00007f33db0d22a0 in SECMOD_AddNewModuleEx (moduleName=0x7f33dbcfce7d "Root Certs", dllPath=0x7f33dbcfce6f "libnssckbi.so", defaultMechanismFlags=0, cipherEnableFlags=0, modparms=<optimized out>, nssparms=<optimized out>) at pk11util.c:695
#4 0x00007f33dbcb1199 in SignatureHandler::SignatureHandler (this=0x7ffe927d1830, p7=0x5648cf9bed80 "0\202&\341\006\t*\206H\206\367\r\001\a\002\240\202&\322\060\202&\316\002\001\001\061\v0\t\006\005+\016\003\002\032\005", p7_length=10971) at ./poppler/SignatureHandler.cc:136
#5 0x00007f33dbbabb16 in FormFieldSignature::validateSignature (forceRevalidation=<optimized out>, validationTime=-1, doVerifyCert=true, this=0x5648cf99b7f0) at ./poppler/Form.cc:1722
#6 FormFieldSignature::validateSignature (this=0x5648cf99b7f0, doVerifyCert=<optimized out>, forceRevalidation=<optimized out>, validationTime=-1) at ./poppler/Form.cc:1689
#7 0x00005648ceee7a5d in main (argc=<optimized out>, argv=<optimized out>) at /usr/include/c++/8/bits/stl_vector.h:979
-------------- next part --------------
A non-text attachment was scrubbed...
Name: a85c2ed8f4359341adb94887c4b551a761244fdb-adapted-to-debian.patch
Type: text/x-patch
Size: 1432 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-freedesktop-maintainers/attachments/20190322/06198303/attachment-0001.bin>
-------------- next part --------------
# Buster amd64 qemu VM 2019-03-22
apt update
apt dist-upgrade
apt install dpkg-dev devscripts systemd-coredump poppler-utils gdb poppler-utils-dbgsym libpoppler82-dbgsym libnss3-dbgsym mc
apt build-dep poppler
wget https://blogs.adobe.com/security/SampleSignedPDFDocument.pdf
/usr/bin/pdfsig SampleSignedPDFDocument.pdf
mkdir /tmp/source/libnss3/orig -p
cd /tmp/source/libnss3/orig
apt source libnss3
cd
mkdir /tmp/source/poppler/orig -p
cd /tmp/source/poppler/orig
apt source poppler
cd
set width 0
set pagination off
directory /tmp/source/libnss3/orig/nss-3.42.1/nss/lib/pk11wrap
bt
##########
benutzer at debian:~$ /usr/bin/pdfsig SampleSignedPDFDocument.pdf
Digital Signature Info of: SampleSignedPDFDocument.pdf
Internal Error (0): couldn't find default Firefox Folder
Speicherzugriffsfehler (Speicherabzug geschrieben)
[ 168.783249] pdfsig[14900]: segfault at 38 ip 00007f33db0d1c84 sp 00007ffe927d1750 error 4 in libnss3.so[7f33db08c000+f0000]
[ 168.783259] Code: b2 a5 fb ff 48 85 c0 74 0f 48 c7 00 00 00 00 00 48 c7 40 08 00 00 00 00 48 83 c4 08 c3 66 0f 1f 84 00 00 00 00 00 53 48 89 fb <48> 8b 7f 38 e8 f3 bb fb ff 83 43 40 01 48 8b 7b 38 e8 66 c9 fb ff
root at debian:~# coredumpctl list
TIME PID UID GID SIG COREFILE EXE
Fri 2019-03-22 22:50:23 CET 14900 1000 1000 11 present /usr/bin/pdfsig
root at debian:~# coredumpctl gdb 14900
PID: 14900 (pdfsig)
UID: 1000 (benutzer)
GID: 1000 (benutzer)
Signal: 11 (SEGV)
Timestamp: Fri 2019-03-22 22:50:23 CET (1min 41s ago)
Command Line: /usr/bin/pdfsig SampleSignedPDFDocument.pdf
Executable: /usr/bin/pdfsig
Control Group: /user.slice/user-1000.slice/session-3.scope
Unit: session-3.scope
Slice: user-1000.slice
Session: 3
Owner UID: 1000 (benutzer)
Boot ID: 50d2a12e8a2f4f90a67993fe31495b4b
Machine ID: 32f43b50ac8c4b21941bc0b02f8e7811
Hostname: debian
Storage: /var/lib/systemd/coredump/core.pdfsig.1000.50d2a12e8a2f4f90a67993fe31495b4b.14900.1553291423000000.lz4
Message: Process 14900 (pdfsig) of user 1000 dumped core.
Stack trace of thread 14900:
#0 0x00007f33db0d1c84 SECMOD_ReferenceModule (libnss3.so)
#1 0x00007f33db0d21fc n/a (libnss3.so)
#2 0x00007f33db0d22a0 SECMOD_AddNewModuleEx (libnss3.so)
#3 0x00007f33dbcb1199 _ZN16SignatureHandlerC2EPhi (libpoppler.so.82)
#4 0x00007f33dbbabb16 _ZN18FormFieldSignature17validateSignatureEbbl (libpoppler.so.82)
#5 0x00005648ceee7a5d main (pdfsig)
#6 0x00007f33db77009b __libc_start_main (libc.so.6)
#7 0x00005648ceee7f4a _start (pdfsig)
GNU gdb (Debian 8.2.1-2) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/pdfsig...(no debugging symbols found)...done.
[New LWP 14900]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/bin/pdfsig SampleSignedPDFDocument.pdf'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f33db0d1c84 in SECMOD_ReferenceModule () from /usr/lib/x86_64-linux-gnu/libnss3.so
(gdb) bt
#0 0x00007f33db0d1c84 in SECMOD_ReferenceModule () from /usr/lib/x86_64-linux-gnu/libnss3.so
#1 0x00007f33db0d21fc in ?? () from /usr/lib/x86_64-linux-gnu/libnss3.so
#2 0x00007f33db0d22a0 in SECMOD_AddNewModuleEx () from /usr/lib/x86_64-linux-gnu/libnss3.so
#3 0x00007f33dbcb1199 in SignatureHandler::SignatureHandler(unsigned char*, int) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.82
#4 0x00007f33dbbabb16 in FormFieldSignature::validateSignature(bool, bool, long) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.82
#5 0x00005648ceee7a5d in main ()
root at debian:~# dpkg -S /usr/lib/x86_64-linux-gnu/libpoppler.so.82
libpoppler82:amd64: /usr/lib/x86_64-linux-gnu/libpoppler.so.82
root at debian:~# dpkg -S /usr/lib/x86_64-linux-gnu/libnss3.so
libnss3:amd64: /usr/lib/x86_64-linux-gnu/libnss3.so
Core was generated by `/usr/bin/pdfsig SampleSignedPDFDocument.pdf'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f33db0d1c84 in SECMOD_ReferenceModule (module=0x0) at pk11util.c:847
847 pk11util.c: Datei oder Verzeichnis nicht gefunden.
(gdb) set width 0
(gdb) set pagination off
(gdb) directory /tmp/source/libnss3/orig/nss-3.42.1/nss/lib/pk11wrap
Source directories searched: /tmp/source/libnss3/orig/nss-3.42.1/nss/lib/pk11wrap:$cdir:$cwd
(gdb) bt
#0 0x00007f33db0d1c84 in SECMOD_ReferenceModule (module=0x0) at pk11util.c:847
#1 0x00007f33db0d21fc in SECMOD_AddModule (newModule=0x5648cf9cdd40) at pk11util.c:541
#2 SECMOD_AddModule (newModule=0x5648cf9cdd40) at pk11util.c:519
#3 0x00007f33db0d22a0 in SECMOD_AddNewModuleEx (moduleName=0x7f33dbcfce7d "Root Certs", dllPath=0x7f33dbcfce6f "libnssckbi.so", defaultMechanismFlags=0, cipherEnableFlags=0, modparms=<optimized out>, nssparms=<optimized out>) at pk11util.c:695
#4 0x00007f33dbcb1199 in SignatureHandler::SignatureHandler (this=0x7ffe927d1830, p7=0x5648cf9bed80 "0\202&\341\006\t*\206H\206\367\r\001\a\002\240\202&\322\060\202&\316\002\001\001\061\v0\t\006\005+\016\003\002\032\005", p7_length=10971) at ./poppler/SignatureHandler.cc:136
#5 0x00007f33dbbabb16 in FormFieldSignature::validateSignature (forceRevalidation=<optimized out>, validationTime=-1, doVerifyCert=true, this=0x5648cf99b7f0) at ./poppler/Form.cc:1722
#6 FormFieldSignature::validateSignature (this=0x5648cf99b7f0, doVerifyCert=<optimized out>, forceRevalidation=<optimized out>, validationTime=-1) at ./poppler/Form.cc:1689
#7 0x00005648ceee7a5d in main (argc=<optimized out>, argv=<optimized out>) at /usr/include/c++/8/bits/stl_vector.h:979
(gdb) bt full
#0 0x00007f33db0d1c84 in SECMOD_ReferenceModule (module=0x0) at pk11util.c:847
No locals.
#1 0x00007f33db0d21fc in SECMOD_AddModule (newModule=0x5648cf9cdd40) at pk11util.c:541
rv = SECSuccess
oldModule = <optimized out>
rv = <optimized out>
oldModule = <optimized out>
#2 SECMOD_AddModule (newModule=0x5648cf9cdd40) at pk11util.c:519
rv = <optimized out>
oldModule = <optimized out>
#3 0x00007f33db0d22a0 in SECMOD_AddNewModuleEx (moduleName=0x7f33dbcfce7d "Root Certs", dllPath=0x7f33dbcfce6f "libnssckbi.so", defaultMechanismFlags=0, cipherEnableFlags=0, modparms=<optimized out>, nssparms=<optimized out>) at pk11util.c:695
module = 0x5648cf9cdd40
result = SECFailure
s = <optimized out>
i = <optimized out>
slot = <optimized out>
#4 0x00007f33dbcb1199 in SignatureHandler::SignatureHandler (this=0x7ffe927d1830, p7=0x5648cf9bed80 "0\202&\341\006\t*\206H\206\367\r\001\a\002\240\202&\322\060\202&\316\002\001\001\061\v0\t\006\005+\016\003\002\032\005", p7_length=10971) at ./poppler/SignatureHandler.cc:136
No locals.
#5 0x00007f33dbbabb16 in FormFieldSignature::validateSignature (forceRevalidation=<optimized out>, validationTime=-1, doVerifyCert=true, this=0x5648cf99b7f0) at ./poppler/Form.cc:1722
arrayLen = 4
sig_val_state = <optimized out>
cert_val_state = <optimized out>
signature_handler = {hash_length = 3483022560, CMSitem = {type = 2457671968, data = 0x2 <error: Cannot access memory at address 0x2>, len = 3482956816}, hash_context = 0x0, CMSMessage = 0x0, CMSSignedData = 0x0, CMSSignerInfo = 0x0, temp_certs = 0x0}
fileLength = <optimized out>
signature_len = 10971
signatureuchar = <optimized out>
arrayLen = <optimized out>
sig_val_state = <optimized out>
cert_val_state = <optimized out>
signature_len = <optimized out>
signatureuchar = <optimized out>
signature_handler = <optimized out>
fileLength = <optimized out>
i = <optimized out>
offsetObj = <optimized out>
lenObj = <optimized out>
offset = <optimized out>
len = <optimized out>
#6 FormFieldSignature::validateSignature (this=0x5648cf99b7f0, doVerifyCert=<optimized out>, forceRevalidation=<optimized out>, validationTime=-1) at ./poppler/Form.cc:1689
arrayLen = <optimized out>
sig_val_state = <optimized out>
cert_val_state = <optimized out>
signature_len = <optimized out>
signatureuchar = <optimized out>
signature_handler = <optimized out>
fileLength = <optimized out>
i = <optimized out>
offsetObj = <optimized out>
lenObj = <optimized out>
offset = <optimized out>
len = <optimized out>
#7 0x00005648ceee7a5d in main (argc=<optimized out>, argv=<optimized out>) at /usr/include/c++/8/bits/stl_vector.h:979
ranges = std::vector of length 1, capacity 1 = {94870720603936}
i = 0
doc = 0x5648cf99b410
sigCount = 1
fileName = 0x5648cf99b360
sig_info = <optimized out>
time_str = <optimized out>
sig_widgets = Python Exception <class 'gdb.error'> value has been optimized out:
win32Console = <optimized out>
exitCode = 99
ok = <optimized out>
(gdb) down
#0 0x00007f33db0d1c84 in SECMOD_ReferenceModule (module=0x0) at pk11util.c:847
847 PZ_Lock(module->refLock);
(gdb) list pk11util.c:841,848
841 /*
842 * make a new reference to a module so It doesn't go away on us
843 */
844 SECMODModule *
845 SECMOD_ReferenceModule(SECMODModule *module)
846 {
847 PZ_Lock(module->refLock); <<<<<<<<<<
848 PORT_Assert(module->refCount > 0);
(gdb) print module
$1 = (SECMODModule *) 0x0
(gdb) up
#1 0x00007f33db0d21fc in SECMOD_AddModule (newModule=0x5648cf9cdd40) at pk11util.c:541
541 newModule->parent = SECMOD_ReferenceModule(defaultDBModule);
(gdb) list pk11util.c:518,542
518 SECStatus
519 SECMOD_AddModule(SECMODModule *newModule)
520 {
521 SECStatus rv;
522 SECMODModule *oldModule;
523
524 /* Test if a module w/ the same name already exists */
525 /* and return SECWouldBlock if so. */
526 /* We should probably add a new return value such as */
527 /* SECDublicateModule, but to minimize ripples, I'll */
528 /* give SECWouldBlock a new meaning */
529 if ((oldModule = SECMOD_FindModule(newModule->commonName)) != NULL) {
530 SECMOD_DestroyModule(oldModule);
531 return SECWouldBlock;
532 /* module already exists. */
533 }
534
535 rv = secmod_LoadPKCS11Module(newModule, NULL);
536 if (rv != SECSuccess) {
537 return rv;
538 }
539
540 if (newModule->parent == NULL) {
541 newModule->parent = SECMOD_ReferenceModule(defaultDBModule); <<<<<<<<<<<
542 }
(gdb) print defaultDBModule
$2 = (SECMODModule *) 0x0
root at debian:~# dpkg -l | grep poppler
ii libpoppler82:amd64 0.71.0-3 amd64 PDF rendering library
ii libpoppler82-dbgsym:amd64 0.71.0-3 amd64 debug symbols for libpoppler82
ii poppler-data 0.4.9-2 all encoding data for the poppler PDF rendering library
ii poppler-utils 0.71.0-3 amd64 PDF utilities (based on Poppler)
ii poppler-utils-dbgsym 0.71.0-3 amd64 debug symbols for poppler-utils
root at debian:~# dpkg -l | grep nss3
ii libnss3:amd64 2:3.42.1-1 amd64 Network Security Service libraries
ii libnss3-dbgsym 2:3.42.1-1 amd64 debug symbols for libnss3
####################
https://gitlab.freedesktop.org/poppler/poppler/issues/669
https://gitlab.freedesktop.org/poppler/poppler/commit/a85c2ed8f4359341adb94887c4b551a761244fdb
cd /tmp/source/poppler
cp -a orig try1
cd try1/poppler-0.71.0
wget https://gitlab.freedesktop.org/poppler/poppler/commit/a85c2ed8f4359341adb94887c4b551a761244fdb.patch -O ../a85c2ed8f4359341adb94887c4b551a761244fdb.patch
patch -p1 --dry-run < ../a85c2ed8f4359341adb94887c4b551a761244fdb.patch
#checking file poppler/SignatureHandler.cc
#Hunk #1 FAILED at 114.
#1 out of 1 hunk FAILED
git init
git add .
git commit -m "Initial commit"
benutzer at debian:/tmp/source/poppler/try1/poppler-0.71.0$ cat ../a85c2ed8f4359341adb94887c4b551a761244fdb.patch
From a85c2ed8f4359341adb94887c4b551a761244fdb Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid at kde.org>
Date: Sat, 17 Nov 2018 19:29:16 +0100
Subject: [PATCH] Be more stubborn looking for a nssdb
Fixes issue #669
---
poppler/SignatureHandler.cc | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/poppler/SignatureHandler.cc b/poppler/SignatureHandler.cc
index aedccf7a..6c510229 100644
--- a/poppler/SignatureHandler.cc
+++ b/poppler/SignatureHandler.cc
@@ -114,10 +114,19 @@ GooString *SignatureHandler::getDefaultFirefoxCertDB_Linux()
void SignatureHandler::init_nss()
{
GooString *certDBPath = getDefaultFirefoxCertDB_Linux();
+ bool initSuccess = false;
if (certDBPath == nullptr) {
- NSS_Init("sql:/etc/pki/nssdb");
+ initSuccess = (NSS_Init("sql:/etc/pki/nssdb") == SECSuccess);
} else {
- NSS_Init(certDBPath->c_str());
+ initSuccess = (NSS_Init(certDBPath->c_str()) == SECSuccess);
+ }
+ if (!initSuccess) {
+ GooString homeNssDb(getenv("HOME"));
+ homeNssDb.append("/.pki/nssdb");
+ initSuccess = (NSS_Init(homeNssDb.c_str()) == SECSuccess);
+ if (!initSuccess) {
+ NSS_NoDB_Init(nullptr);
+ }
}
//Make sure NSS root certificates module is loaded
SECMOD_AddNewModule("Root Certs", "libnssckbi.so", 0, 0);
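Review bot: `GooString homeNssDb(getenv("HOME"));` uses the result of `getenv("HOME")` without a null check; HOME is not guaranteed to be set in every environment pdfsig runs in, and the unchecked pointer goes straight into the GooString constructor and the following `append`. Read it into a `const char *home` first and only try the `~/.pki/nssdb` fallback when it is non-null. In the same block, the status of `NSS_NoDB_Init(nullptr)` is still ignored and `SECMOD_AddNewModule("Root Certs", "libnssckbi.so", 0, 0);` is then called unconditionally, so if every initialisation attempt fails the code still reaches the `SECMOD_AddModule` call into `SECMOD_ReferenceModule(defaultDBModule)` with `defaultDBModule == NULL` that the backtrace above shows; gate the module load on `initSuccess` (or let `init_nss` report failure) so the caller can fail cleanly instead of faulting. Also note that this hunk cannot apply to Debian's 0.71.0 as-is: the context line there reads `NSS_Init(certDBPath->getCString());` rather than `c_str()`, which is why the `patch --dry-run` above fails and why the grep output below shows `getCString()`.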
--
2.18.1
benutzer at debian:/tmp/source/poppler/try1/poppler-0.71.0$ grep "void SignatureHandler::init_nss" poppler/SignatureHandler.cc -A15 -n
114:void SignatureHandler::init_nss()
115-{
116- GooString *certDBPath = getDefaultFirefoxCertDB_Linux();
117- if (certDBPath == nullptr) {
118- NSS_Init("sql:/etc/pki/nssdb");
119- } else {
120- NSS_Init(certDBPath->getCString());
121- }
122- //Make sure NSS root certificates module is loaded
123- SECMOD_AddNewModule("Root Certs", "libnssckbi.so", 0, 0);
124-
125- delete certDBPath;
126-}
127-
# merge patch
git add poppler/SignatureHandler.cc
git commit -m "a85c2ed8f4359341adb94887c4b551a761244fdb merged"
git format-patch -o .. -1
dpkg-buildpackage -b
dpkg -i /tmp/source/poppler/try1/{libpoppler82,libpoppler82-dbgsym,poppler-utils,poppler-utils-dbgsym}_0.71.0-3_amd64.deb
benutzer at debian:~$ /usr/bin/pdfsig SampleSignedPDFDocument.pdf
Digital Signature Info of: SampleSignedPDFDocument.pdf
Internal Error (0): couldn't find default Firefox Folder
Signature #1:
- Signer Certificate Common Name: John B Harris
- Signer full Distinguished Name: E=jbharris at adobe.com,CN=John B Harris,O=Adobe Systems Incorporated,L=San Jose,ST=CA,C=US
- Signing Time: Jul 16 2009 16:47:47
- Signing Hash Algorithm: SHA1
- Signature Type: adbe.pkcs7.detached
- Signed Ranges: [0 - 227012], [248956 - 272318]
- Total document signed
- Signature Validation: Signature is Valid.
- Certificate Validation: Certificate has Expired